Abstract

The IEEE 802.11 protocol is a popular standard for wireless local area networks. Its medium access control layer (MAC) is a carrier sense multiple access with collision avoidance (CSMA/CA) design and includes an exponential backoff mechanism that makes it a possible target for probabilistic model checking. In this work, we identify ways to increase the scope of application of probabilistic model checking to the 802.11 MAC. Current techniques do not scale to networks of even moderate size. To work around this problem, we identify properties of the protocol that can be used to simplify the models and make verification feasible. Using these observations, we directly optimize the probabilistic timed automata models while preserving probabilistic reachability measures. We substantiate our claims of significant reduction by our results from using the probabilistic model checker PRISM.



1. Introduction 

The IEEE 802.11 protocol [9] is a popular standard for wireless networks. Its medium access control layer (MAC) is a carrier sense multiple access with collision avoidance (CSMA/CA) design and includes an exponential backoff mechanism that makes it an ideal target for probabilistic model checking. This protocol has been modeled using a range of techniques such as finite state machines [20] and probabilistic timed automata [15].

The 802.11 protocol suffers from a potential livelock problem, demonstrated formally in [20], which is mitigated only by the presence of a finite retry limit for each data packet. The livelock arises because it is possible, although improbable, for two stations to behave symmetrically and continuously collide until they drop their respective packets on exceeding the retry limit. In such a scenario, it is useful to bound the probability of such pathologically symmetric behavior. This motivates the application of probabilistic model checking to the problem of computing probabilities of desired and undesired behavior in the protocol. Two primary properties of interest are: the probability of the number of retries reaching a certain count and the probability of meeting a soft deadline.

A recent solution to the problem of obtaining these probabilities has been proposed in [15]. It models a limited (but critical) aspect of the protocol using Probabilistic Timed Automata (PTA) [14] and exploits available tools, namely, the Probabilistic Symbolic Model Checker (PRISM) [?] for computing the probability values and the real time model checker Uppaal [18] as a proof assistant. Results on the probability of the backoff counter on a station reaching a particular value and the probability of a packet being transmitted within a certain deadline are presented. This work, however, suffers from scalability problems. The model assumes only two stations (sender-destination pairs). When we extended the models to 3 stations (and 3 corresponding destinations), which is a practical-sized network topology, we found it computationally infeasible to model check properties of interest. These problems are compounded by an inaccurate assumption that the packet length can vary on every retransmission.

The aim of this work is twofold. First, we present a more accurate and scalable model for the protocol. Second, we set up a logical framework to exploit protocol specific redundancies. Under this framework, we perform a number of provably correct optimizations that reduce the generalized multi station model. The optimizations involve abstracting away the deterministic waits, and considering only a subset of the allowed packet sizes that nevertheless captures all the relevant behavior. In addition, we duplicate the model reduction technique of [15] for the multi station problem.

Our reduced models are immediately verifiable in PRISM and require no further tools. However, the option of using tools like RAPTURE [6] on the reduced PTA models remains. Our results show a reduction in state space over the existing solution for two stations. We are also able to successfully model check a topology of three stations that was infeasible with the current models.

The organization of the paper is as follows. We begin with the modeling formalism used in this paper. We present the scalable models for the multi station 802.11 problem and discuss the behavior of the protocol. Next, we present a notion of equivalence in probabilistic systems that abstracts away deterministic paths in the system but preserves probabilistic reachability. We give sufficient requirements for equivalence both at the level of untimed probabilistic systems and probabilistic timed automata. Based on this framework, we present our set of reductions to the generalized model for the multi station problem. We also show that we can verify soft deadlines in spite of these optimizations. We conclude with results that detail state space reduction as well as case studies for a three station topology.

2. Modeling formalism for the 802.11 protocol

In order to efficiently model and verify the 802.11 protocol, we need a modeling formalism that can represent the protocol at sufficient depth and, at the same time, must be amenable to transformations for more efficient verification. We have been guided by the existing work in [15] in our choice of Probabilistic Timed Automata to model the 802.11 protocol.

We introduce Probabilistic Timed Automata (PTA) [14], Probabilistic Systems (PS) [15] [19] and fully probabilistic systems (FPS). All these have been surveyed in [12] with special reference to their relationship in the context of probabilistic model checking.

Let $\chi$ be a set of non-negative real-valued variables called clocks. Call $Z$ the set of zones over $\chi$, which is the set of all possible atomic constraints of the form $x \sim c$ and $(x - y) \sim c$ and their closure under conjunction. Here $x, y \in \chi$, $\sim \in \{<, \leq, >, \geq\}$ and $c \in \mathbb{N}$, where $\mathbb{N}$ is the set of natural numbers. A clock valuation $v$ is the assignment of values in $\mathbb{R}_{\geq 0}$ (where $\mathbb{R}_{\geq 0}$ is the set of non-negative reals) to all clocks in $\chi$. The concept of a clock valuation $v$ satisfying a zone $Y$, indicated as $v \lhd Y$, is naturally derived by assigning values to each clock in the zone and checking whether all constraints are satisfied.

Definition 1 A probabilistic timed automaton is a tuple $(L, \bar{l}, \chi, \Sigma, I, P)$ where $L$ is a finite set of states, $\bar{l}$ is the initial state, $\chi$ is the set of clocks and $\Sigma$ is a finite set of labels used to label transitions. The function $I$ is a map $I : L \to Z$ called the invariant condition. The probabilistic edge relation $P$ is defined as $P \subseteq L \times Z \times \Sigma \times Dist(2^{\chi} \times L)$, where $Dist(2^{\chi} \times L)$ is the set of all probability distributions, each elementary outcome of which corresponds to resetting some clocks to zero and moving to a state in $L$. We call a distinguished (not necessarily non-null) subset $\Sigma^u$ of the set of events the urgent events.

A critical feature of PTAs that makes them powerful 
modeling tools is that each transition presents probabilis- 
tic choice in the PTA while different outgoing probabilistic 
transitions from a state present non-deterministic choice in 
the PTA. Hence, a PTA can model non-determinism, which 
is inherent in the composition of asynchronous parallel sys- 
tems. 

Composition of PTAs is a cross product of states with the condition that the composed PTAs must synchronize on shared actions. For a detailed description see [15].

A feature of PTAs that is useful for higher-level mod- 
eling is urgent channels. Urgent channels are a special set 
of edge labels (symbols) on which a PTA must synchronize 
whenever possible. 

Definition 2 A probabilistic system (PS) is a tuple $(S, \bar{s}, \Sigma, Steps)$ where $S$ is a finite set of states, $\bar{s}$ is the start state, $\Sigma$ is a finite set of labels and $Steps$ is a function $Steps : S \to 2^{\Sigma \times Dist(S)}$ where $Dist(S)$ is the set of all distributions over $S$.

This is the same as the simple probabilistic automaton of [?].

Definition 3 Given a PTA $T = (L, \bar{l}, \chi, \Sigma, I, P)$, the semantics of $T$ is the Probabilistic System $[[T]] = (S, \bar{s}, Act, Steps)$, with the following definitions:

$S \subseteq L \times \mathbb{R}_{\geq 0}^{\chi}$ is the set of states with the restrictions $(l, v) \in S$ iff ($l \in L$ and $v \lhd I(l)$) and $\bar{s} = (\bar{l}, 0)$.

$Act = \mathbb{R}_{\geq 0} \cup \Sigma$. This reflects either actions corresponding to time steps ($\mathbb{R}_{\geq 0}$) or actions from the PTA ($\Sigma$).

$Steps$ is the least set of probabilistic transitions containing, for each $(l, v) \in S$, a set of action-distribution pairs $(a, \mu)$ where $a \in Act$ and $\mu$ is a probability distribution over $S$. $Steps$ for a state $s = (l, v)$ is defined as follows.

I. For each $t \in \mathbb{R}_{\geq 0}$, $(t, \mu) \in Steps(s)$ iff

1. $\mu(l, v + t) = 1$ and $v + t' \lhd I(l)$ for all $0 \leq t' \leq t$.

2. For every probabilistic edge of the form $(l, g, a, -) \in P$, if $v + t' \lhd g$ for any $0 \leq t' \leq t$, then $a$ is non-urgent.

II. For each $(l, g, a, p) \in P$, let $(a, \mu) \in Steps(s)$ iff $v \lhd g$ and for each $(l', v') \in S$: $\mu(l', v') = \sum_{X \subseteq \chi \,\wedge\, v' = v[X := 0]} p(X, l')$, the sum being over all clock resets that result in the valuation $v'$.

A critical result [17], analogous to the region construction result for timed automata, states that it is sufficient to assume only integer increments when all zones are closed (there are no strict inequalities). Hence, the definition given above is modified to $S \subseteq L \times \mathbb{N}^{\chi}$ and $Act = \mathbb{N} \cup \Sigma$. Under integer semantics, the size of the state space is proportional to the largest constant used. For the rest of this paper, we will assume integer semantics.

Note that, in the presence of non-determinism, the probability measure of a path in a PS is undefined. Hence, define an adversary or scheduler that resolves non-determinism as follows:

Definition 4 An adversary of the Probabilistic System $\mathcal{P} = (S, \bar{s}, Act, Steps)$ is a function $f : S \to \bigcup_{s \in S} Steps(s)$ where $f(s) \in Steps(s)$.

We only consider simple adversaries that do not change their decision about an outgoing distribution every time a state is revisited; their sufficiency has been shown in [5]. A simple adversary induces a Fully Probabilistic System (FPS) as defined below.

Definition 5 A simple adversary $A$ of a Probabilistic System $\mathcal{P} = (S, \bar{s}, Act, Steps)$ induces a Fully Probabilistic System (FPS) or Discrete Time Markov Chain $\mathcal{P}^A = (S, \bar{s}, P)$. Here, $P(s) = A(s)$, the unique outgoing probability distribution for each $s \in S$, where we drop the edge label on the transition.

Thus, given a PS $\mathcal{M}$ and a set of "target states" $F$, consider an adversary $A$ and the corresponding FPS $\mathcal{M}^A$. A probability space ($Prob^A$) may be defined on $\mathcal{M}^A$ via a cylinder construction [11]. A path $\omega$ in $\mathcal{M}^A$ is simply a (possibly infinite) sequence of states $\bar{s}\, s_1\, s_2 \ldots$ such that there is a transition of non-zero probability between any two consecutive states in the path. For model checking, we are interested in

$ProbReach^A(F) \stackrel{def}{=} Prob^A\{\omega \in Path^A \mid \exists i \in \mathbb{N} \text{ where } \omega(i) \in F\}$.

$F$ is the desired set of target states, $\omega(i)$ is the $i$th state in the path $\omega$ and $Path^A$ represents all infinite paths in $\mathcal{M}^A$. Define $MaxProbReach^{\mathcal{M}}(F)$ and $MinProbReach^{\mathcal{M}}(F)$ as the supremum and infimum respectively of $\{ProbReach^A(F)\}$ where the quantification is over all adversaries.

3. Logic Formulas Under Consideration 

Properties of interest at the PTA level are specified using Probabilistic Computational Tree Logic (PCTL) formulas $\phi$. We limit ourselves to restricted syntax (but non-trivial) PCTL formulas, expressible as $P_{\sim\lambda}[\Diamond p]$, where $\sim \in \{<, \leq, >, \geq\}$ and $\lambda$ is the constant probability bound that is being model checked for. These PCTL formulas translate directly into a probabilistic reachability problem on the semantic Probabilistic System corresponding to the PTA. The reason for this restriction is that, in the case of the 802.11 protocol, the properties of interest, including the real time ones, are all expressible in this form. For example, in the case of a probabilistic timed automaton $A$, the PCTL formula $P_{<0.5}[\Diamond p]$ directly translates to maximum probabilistic reachability on the induced Markov decision process $[[A]]$ from a well-defined start state. We mark the target states as those where the proposition $p$ is true. The model checker returns true when this maximum probability is smaller than 0.5. Under this restricted form of PCTL, we indicate numerical equivalence using the following notation.

Definition 6 Two probabilistic systems $\mathcal{P}_1$ and $\mathcal{P}_2$ are equivalent under probabilistic reachability of their respective target states $F_1$ and $F_2$, denoted by $\mathcal{P}_1 \overset{PS}{=}_{F_1, F_2} \mathcal{P}_2$, when $MaxProbReach^{\mathcal{P}_1}(F_1) = MaxProbReach^{\mathcal{P}_2}(F_2)$ and $MinProbReach^{\mathcal{P}_1}(F_1) = MinProbReach^{\mathcal{P}_2}(F_2)$.

Definition 7 $PTA_1 \overset{PTA}{=}_{\phi_1, \phi_2} PTA_2$ when $[[PTA_1]] \overset{PS}{=}_{F_1, F_2} [[PTA_2]]$. The criterion for marking target states is that $F_1$ corresponds to the target states in the reachability problem for the PCTL formula $\phi_1$, while $F_2$ corresponds to the target states for the PCTL formula $\phi_2$.

4. Probabilistic Models of the 802.11 Protocol 

In this section, we present scalable probabilistic models of the 802.11 basic access MAC protocol assuming no hidden nodes^1. The model for the multi-station 802.11 problem consists of the station model and a shared channel, shown in Figures 4 and 9 respectively. We assume familiarity with conventions used in graphical representation of timed automata. In particular, the states marked with a 'u' are urgent states while that marked by concentric circles is the start state. The station models are replicated to represent multiple sender-destination pairs. Some critical state variables are: bc, which holds the current backoff counter value; tx_len, which holds the chosen transmission length; and backoff, which represents the current remaining time in backoff. The function RANDOM(bc) is a modeling abstraction that assigns a random number in the current contention window. Similarly, NON_DET(TX_MIN, TX_MAX) assigns a non-deterministic packet length between TX_MIN and TX_MAX, which are the minimum and maximum allowable packet transmission times respectively. The values used for verification are from the Frequency Hopping Spread Spectrum (FHSS) physical layer [9]. The transmission rate for the data payload is 2 Mbps.

1 In the absence of hidden nodes [3], the channel is a shared medium visible to all the stations.



The station automaton shown in Figure 4 begins with a data packet whose transmission time it selects non-deterministically in the range from 258 µs to 15750 µs. On sensing the channel free for a Distributed InterFrame Space (DIFS = 128 µs), it enters the Vulnerable state, where it switches its transceiver to transmit mode and begins transmitting the signal. The Vulnerable state also accounts for propagation delay. It moves to the Transmit state after a time VULN = 48 µs with a synchronization on send. After completing transmission, the station moves to Test_channel via one of the two synchronizations, finish_correct on a successful transmission and finish_garbled on an unsuccessful transmission. The channel keeps track of the status of transmissions, going into a garbled state whenever more than one transmission occurs simultaneously. The station incorporates the behavior of the destination and diverges depending on whether the transmission was successful or not. If the transmission was successful, the portion of the station corresponding to the destination waits for a Short InterFrame Space (SIFS = 28 µs) amount of time before transmitting an ack, which takes ACK = 183 µs amount of time.

On an unsuccessful transmission, the station waits for the acknowledgment timeout of ACK_TO = 300 µs. It then enters a backoff phase, where it probabilistically selects a random backoff period backoff = RANDOM(bc). RANDOM(bc) is a function that selects, with uniform probability, a value from the contention window given by the range $[0, (C+1) \cdot 2^{bc} - 1]$, where $C$ is the minimum contention window (15 µs for the FHSS physical layer). The backoff counter (bc) is incremented each time the station enters backoff. The backoff counter is frozen when a station detects a transmission on the medium while in backoff.
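The following Python is an added example, not code from the paper: it computes the contention window RANDOM(bc) draws from and quantifies the pathologically symmetric behavior described in the introduction (two stations that keep drawing the same backoff until the retry limit cuts the livelock off). It assumes a slot-level abstraction that is not the paper's PTA model: two stations in backoff collide again exactly when their RANDOM(bc) draws coincide; otherwise the smaller draw transmits first and the other station freezes its counter, which breaks the symmetry. C = 15 is the paper's minimum contention window; the retry limit of 7 and the trial count are assumed values.

```python
import random

# Added example, not the paper's code. C = 15 is the minimum contention window from the
# paper; the retry limit (7) is an assumed value used only to cap a simulated run.
C = 15
RETRY_LIMIT = 7

def contention_window(bc, c=C):
    """Range [0, (C+1)*2^bc - 1] from which RANDOM(bc) draws uniformly."""
    return 0, (c + 1) * 2 ** bc - 1

def random_backoff(bc, rng, c=C):
    """One RANDOM(bc) draw: uniform over the current contention window."""
    lo, hi = contention_window(bc, c)
    return rng.randint(lo, hi)

def symmetric_collision_probability(k, c=C):
    """Exact probability (under the assumed slot abstraction) that two stations that have
    just collided, both at bc = 1, draw identical backoffs at every stage until both
    reach bc = k."""
    p = 1.0
    for bc in range(1, k):
        lo, hi = contention_window(bc, c)
        p *= 1.0 / (hi - lo + 1)  # both pick the same slot out of |CW| slots
    return p

def simulate_symmetric_run(rng, k, c=C, retry_limit=RETRY_LIMIT):
    """One run under the abstraction: equal draws collide again (bc grows on both
    stations); unequal draws mean the lower draw wins the channel while the other
    station freezes its counter, so the symmetry is broken. Returns True if bc reaches k."""
    bc = 1
    while bc < k:
        if bc > retry_limit:
            return False  # packets dropped at the retry limit; the livelock is cut off
        if random_backoff(bc, rng, c) != random_backoff(bc, rng, c):
            return False
        bc += 1
    return True

def estimate_symmetric_collision_probability(k, trials, seed=1):
    """Monte Carlo estimate of symmetric_collision_probability(k) with a fixed seed."""
    rng = random.Random(seed)
    hits = sum(simulate_symmetric_run(rng, k) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for k in range(1, 5):
        print(k, contention_window(k), symmetric_collision_probability(k))
    print(estimate_symmetric_collision_probability(2, 40000))
```

The closed form shrinks by a factor of $(C+1) \cdot 2^{bc}$ at each stage, which is exactly why the exponential backoff makes the symmetric livelock improbable rather than impossible; the simulation is only a sanity check of the closed form for small k, since the events become too rare to estimate by sampling beyond that.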

The station and channel models are different from those in [15]. The station now fixes a packet transmission length non-deterministically and remembers it rather than allowing it to vary on every retransmission. The channel of [15] assumes a fixed topology of two stations, while the channel depicted in Figure 9 is generalized for an arbitrary number of stations. It follows a different design from that in [15], which if generalized would have states exponential in the number of stations. Ours is only linear. Since the models are generalized to an arbitrary number of stations, the synchronization labels have subscripts indicating the station number. However, in the rest of the paper we drop subscripts whenever the station number is clear from the context.

We point out here that we start with an abstracted station model, which incorporates the deterministic destination. That this is a valid abstraction has already been shown for the two station case in [15]. The extension to the multi station case does not represent any significant new result and hence has been omitted.

5. Compression of Deterministic Paths: A Technique for State Space Reduction

In the 802.11 protocol, there are numerous cases where the component automata representing the system simply count time or where different resolutions of non-determinism lead to the same state but through different paths. If we are verifying an untimed property then such fine grained analysis increases state space without any contribution to probabilistic reachability. We discovered on studying these models that it is possible to derive alternative optimized probabilistic timed automata that avoid the cost of such unnecessary deterministic behavior by compressing these deterministic paths into equivalent but shorter paths. The problem is the lack of a suitable formalism to support our optimizations. This section provides a framework that can be used to justify the equivalence of our optimized models to the original ones.

For purposes of comparison, we assume that the state 
space is a subset of an implicit global set of states. This al- 
lows operations such as intersection and union between the 
set of states of two different automata. In particular, for this 
paper we consistently name states across the automata we 
consider. 

Our objective is to formalize "deterministic" behavior of interest. The key relationship used in this formalization is a specialization of dominators as defined in [6]. We refer to this restricted version of dominators as "deterministic dominators" in the rest of this paper.

Definition 8 For a distribution $\pi$ over the finite elementary event set $X$, define the support of the distribution as $supp(\pi) = \{x \in X \mid \pi(x) > 0\}$.

Definition 9 Given a probabilistic system consisting of the set of states $S$, define $\prec_D$ as the smallest relation in $S \times S$ satisfying the following: $\forall s \in S$,

$s \prec_D s$ and

$\exists t \in S\, [\forall (a, \pi) \in Steps(s) : \exists x\, (supp(\pi) = \{x\}) \wedge (x \prec_D t)] \Rightarrow s \prec_D t$.

If the relation $s \prec_D t$ holds then we say that $t$ is the deterministic dominator of $s$.

An example of a deterministic dominator is shown in the probabilistic systems of Figure 1, where $S \prec_D T$.

Definition 10 Given distributions $P_1$ over $S_1$ and $P_2$ over $S_2$, define $P_1 = P_2$ when $supp(P_1) = supp(P_2) = S$ and $\forall s \in S$ we have $P_1(s) = P_2(s)$.

Figure 1: Two related Probabilistic Systems

Based on the notion of equivalence of distributions, we define the notion of equivalence of sets of distributions. Let $Steps_1$ be a set of labeled distributions over $S_1$ and $Steps_2$ be a set of labeled distributions over $S_2$.

Definition 11 $Steps_1 = Steps_2$ whenever $\forall (a, \mu_1) \in Steps_1\ \exists (a, \mu_2) \in Steps_2$ such that $\mu_1 = \mu_2$, and $\forall (a, \mu_2) \in Steps_2\ \exists (a, \mu_1) \in Steps_1$ with $\mu_2 = \mu_1$.

Define a path in a probabilistic system as follows:

Definition 12 A path in the probabilistic system $\mathcal{P} = (S, \bar{s}, \Sigma, Steps)$ is a sequence of state-action pairs $(s_1, a_1), (s_2, a_2) \ldots (s_{n+1})$ such that $\forall i \in \{1..n\}$ we have $\exists (a_i, \mu_i) \in Steps(s_i)$ such that $\mu_i(s_{i+1}) > 0$.

5.1. Deterministic Path Compression in Probabilistic Systems

Consider the two probabilistic systems of Figure 2, each of which has the start state $U$. It should be clear that each of $MaxProbReach(X)$ and $MinProbReach(X)$ takes the same value in both the systems since we have only removed (compressed) the deterministic segment $B \to C$. We formalize this notion of deterministic path compression at the level of probabilistic systems in Theorem 1.

Consider two finite probabilistic systems $PS_1(S_1, \bar{s}, Act, Steps_1)$ and $PS_2(S_2, \bar{s}, Act, Steps_2)$ with an identical set of actions. All transitions in $Steps_1$ and $Steps_2$ are simple transitions of the form $(s, a, \mu)$ where $s$ is the originating state, $a \in Act$ and $\mu$ is a probability distribution over the state space. Note that $S_1$ and $S_2$ are necessarily not disjoint because of the common start state $\bar{s}$.

Definition 13 If, for some $s \in S_1 \cap S_2$, $Steps_1(s) = Steps_2(s)$ does not hold then $s$ is a point of disagreement between the two probabilistic systems.



Theorem 1 (Equivalence in Probabilistic Systems) Given two probabilistic systems $PS_1(S_1, \bar{s}, Act, Steps_1)$ and $PS_2(S_2, \bar{s}, Act, Steps_2)$ satisfying the following conditions:

1. For any state $s \in S_1 \cap S_2$, if $s$ is a point of disagreement then $\exists t \in S_1 \cap S_2$ such that $t$ is not a point of disagreement and, in each of the systems, $s \prec_D t$.

2. Let $F_1 \subseteq S_1$ and $F_2 \subseteq S_2$ be sets of target states we are model checking for. We impose the condition $S_1 \cap S_2 \cap F_1 = S_1 \cap S_2 \cap F_2$. For every $s \in S_1 \cap S_2$ which is a point of disagreement we have the following: for the postulated deterministic dominator $t$ and for every state $u$ on any path in $PS_1$ between $s$ and $t$, $u \in F_1 \Rightarrow (s \in F_1) \vee (t \in F_1)$. Similarly, for every state $u$ on any path in $PS_2$ between $s$ and $t$, $u \in F_2 \Rightarrow (s \in F_2) \vee (t \in F_2)$.

Under these conditions, $PS_1 \overset{PS}{=}_{F_1, F_2} PS_2$.

The proof follows from first principles by setting up a bijective mapping between paths in the two probabilistic systems. The complete proof is available in [1].
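The following Python is an added example, not code from the paper, that makes the machinery of Section 2 and this subsection concrete: it computes the deterministic dominator relation of Definition 9 as a least fixpoint, finds points of disagreement with the label-sensitive equality of Definitions 11 and 13, checks both conditions of Theorem 1, and confirms by value iteration that MaxProbReach and MinProbReach over all adversaries agree on the two systems. Since Figure 2 is not reproduced here, the two systems $PS_1$ and $PS_2$ are constructed: their state names, actions and probabilities are assumptions, chosen so that $PS_2$ is $PS_1$ with the deterministic states $B$ and $D$ compressed away. It generalizes the text's single example to any pair of finite systems given in the same dictionary form.

```python
# Added example, not from the paper. A PS is a dict: state -> list of (action, distribution),
# where a distribution is a dict successor -> probability (Definition 2, finite case).
from collections import deque

def ps1():
    """Constructed PS_1: U -> B -> C and U -> D -> C are deterministic segments;
    C offers a non-deterministic choice between two distributions."""
    return {
        "U": [("a", {"B": 1.0}), ("h", {"D": 1.0})],
        "B": [("d", {"C": 1.0})],
        "D": [("k", {"C": 1.0})],
        "C": [("e", {"X": 0.6, "Y": 0.4}), ("f", {"X": 0.2, "Z": 0.8})],
        "Z": [("g", {"X": 0.7, "Y": 0.3})],
        "X": [("loop", {"X": 1.0})],
        "Y": [("loop", {"Y": 1.0})],
    }

def ps2():
    """Constructed PS_2: the same system with B and D compressed; U steps straight to C."""
    steps = ps1()
    del steps["B"], steps["D"]
    steps["U"] = [("a", {"C": 1.0}), ("h", {"C": 1.0})]
    return steps

def support(dist):
    """Definition 8."""
    return frozenset(x for x, p in dist.items() if p > 0)

def deterministic_dominators(steps):
    """Least fixpoint of Definition 9: the set of pairs (s, t) with s <_D t."""
    dom = {(s, s) for s in steps}
    changed = True
    while changed:
        changed = False
        for s in steps:
            for t in steps:
                if (s, t) in dom:
                    continue
                # every outgoing distribution of s must be a point mass on some x with x <_D t
                if all(len(support(d)) == 1 and (next(iter(support(d))), t) in dom
                       for _, d in steps[s]):
                    dom.add((s, t))
                    changed = True
    return dom

def points_of_disagreement(steps1, steps2):
    """Definition 13, using the label-sensitive step-set equality of Definition 11."""
    def key(choices):
        return {(a, frozenset(d.items())) for a, d in choices}
    return {s for s in steps1.keys() & steps2.keys() if key(steps1[s]) != key(steps2[s])}

def states_between(steps, s, t):
    """States strictly between s and t on paths out of s, stopping at t. Meaningful when
    t dominates s, since every path from s then passes through t."""
    seen, queue, between = {s}, deque([s]), set()
    while queue:
        u = queue.popleft()
        if u != s:
            between.add(u)
        for _, d in steps[u]:
            for x in support(d):
                if x != t and x not in seen:
                    seen.add(x)
                    queue.append(x)
    return between

def theorem1_holds(steps1, steps2, f1, f2):
    """Check conditions 1 and 2 of Theorem 1. Returns the dominator chosen for each point
    of disagreement, or None if some condition fails."""
    common = steps1.keys() & steps2.keys()
    if (common & f1) != (common & f2):
        return None
    dom1, dom2 = deterministic_dominators(steps1), deterministic_dominators(steps2)
    dis = points_of_disagreement(steps1, steps2)
    witnesses = {}
    for s in dis:
        for t in common - dis:
            if (s, t) in dom1 and (s, t) in dom2:
                ok1 = all(s in f1 or t in f1 for u in states_between(steps1, s, t) if u in f1)
                ok2 = all(s in f2 or t in f2 for u in states_between(steps2, s, t) if u in f2)
                if ok1 and ok2:
                    witnesses[s] = t
                    break
        if s not in witnesses:
            return None
    return witnesses

def prob_reach(steps, start, targets, maximise):
    """Value iteration for MaxProbReach (maximise=True) or MinProbReach over all adversaries."""
    v = {s: (1.0 if s in targets else 0.0) for s in steps}
    while True:
        new = dict(v)
        for s, choices in steps.items():
            if s in targets or not choices:
                continue
            vals = [sum(p * v[x] for x, p in d.items()) for _, d in choices]
            new[s] = max(vals) if maximise else min(vals)
        if max(abs(new[s] - v[s]) for s in v) < 1e-12:
            return new[start]
        v = new

if __name__ == "__main__":
    print("witnesses:", theorem1_holds(ps1(), ps2(), {"X"}, {"X"}))
    for name, ps in (("PS1", ps1()), ("PS2", ps2())):
        print(name, prob_reach(ps, "U", {"X"}, True), prob_reach(ps, "U", {"X"}, False))
```

In the constructed pair, $U$ is the only point of disagreement and $C$ is its deterministic dominator in both systems; the states removed on the way ($B$, $D$) are not targets, so condition 2 holds, and both value iterations return the same maximum (0.76) and minimum (0.6) reachability of $X$. Making $B$ a target instead violates condition 2 and the check correctly reports failure.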

5.2. Equivalence of Probabilistic Timed Automata

Given two Probabilistic Timed Automata $PTA_1$ and $PTA_2$ and their respective restricted PCTL requirements $\phi_1$ and $\phi_2$, we need a set of conditions under which we may claim $PTA_1 \overset{PTA}{=}_{\phi_1, \phi_2} PTA_2$. By Definition 7 this is equivalent to showing that $[[PTA_1]] \overset{PS}{=}_{F_1, F_2} [[PTA_2]]$, where $F_1$ and $F_2$ are the corresponding target states of $\phi_1$ and $\phi_2$ respectively. Our optimizations are based on deterministic path compression as outlined in Section 5. Hence, we impose requirements on $PTA_1$ and $PTA_2$ under which we can apply Theorem 1 to $[[PTA_1]]$ and $[[PTA_2]]$ to deduce $[[PTA_1]] \overset{PS}{=}_{F_1, F_2} [[PTA_2]]$. The following lemmas have the objective of establishing these requirements.

Consider two Probabilistic Timed Automata with an identical set of clocks and events: $PTA_1 = (L_1, \bar{l}_1, \chi, \Sigma, I_1, P_1)$ and $PTA_2 = (L_2, \bar{l}_2, \chi, \Sigma, I_2, P_2)$. We assume that the automata have the same set of urgent events, $\Sigma^u$.

Definition 14 A state $s \in L_1 \cap L_2$ is a point of disagreement between the two probabilistic timed automata if either they differ on the invariant or they differ in the set of outgoing transitions. Taking a transition out of a state $s$ as the tuple $(s, z, \sigma, P(2^{\chi} \times L))$, call two transitions different if they disagree on either the guard $z$, or the event label on the transition $\sigma$, or the distribution $P(2^{\chi} \times L)$.

The semantic probabilistic systems are $[[PTA_1]]$ and $[[PTA_2]]$ respectively. Let $States([[PTA_1]])$ and $States([[PTA_2]])$ denote the states of the semantic probabilistic systems for $PTA_1$ and $PTA_2$ respectively. The states in the semantic PS are tuples $(s, v)$ where $s$ is a state of the PTA and $v$ is a clock valuation.

Lemma 1 A state $(s, v) \in States([[PTA_1]]) \cap States([[PTA_2]])$ is a point of disagreement (with regard to condition 1 of Theorem 1) between the two PS implies that $s$ is a point of disagreement between $PTA_1$ and $PTA_2$.

The condition that labels should also be identical might 
seem too restrictive considering that we are only interested 
in probabilistic reachability. However, the next set of lem- 
mas will show that when composing PTAs labels are impor- 
tant. 

Most real world systems, and the 802.11 protocol in particular, are modeled as a composition of PTAs. In a composed system, the above lemma will only tell us whether a particular common state in the PTA can generate a point of disagreement in the semantic PS. This common state represents the composed state of all the PTAs composing the model. The next few lemmas extend Lemma 1 to the scenario of composed probabilistic timed automata.

Definition 15 Consider two PTAs formed of compositions, as follows.

$PTA_1 = PTA_1^1 \,\|\, PTA_1^2 \,\|\, PTA_1^3 \,\|\, .. \,\|\, PTA_1^n$ and $PTA_2 = PTA_2^1 \,\|\, PTA_2^2 \,\|\, PTA_2^3 \,\|\, .. \,\|\, PTA_2^n$.

Define the difference set as the set $D \subseteq \{1, 2, .., n\}$ such that $\forall i \in D : PTA_1^i \neq PTA_2^i$ and $\forall i \notin D : PTA_1^i = PTA_2^i$. By equality we mean exactly the same automaton in both the compositions (component wise equality of the tuples defining them).

Definition 16 We define the specific difference set for the index $i \in D$ as $D_i \subseteq states(PTA_1^i) \cap states(PTA_2^i)$ where $D_i$ is the set of states that disagree across the automata as outlined in Definition 14. For every $i \notin D$ set $D_i = \emptyset$.

Lemma 2 Consider the composed PTA models of Definition 15. Let $S_{common}$ be the set of common states between $PTA_1$ and $PTA_2$. A composed state in $S_{common}$, say $(l_1, l_2, .., l_n)$, is a point of disagreement between $PTA_1$ and $PTA_2$ implies that at least one automaton is in its specific difference set.

In the composed PTAs of Definition 15, each state in the semantic PS for a PTA is a combination of states and clock valuations of the individual PTAs in the composition. The next lemma combines Lemma 1 and Lemma 2.

Lemma 3 (PTA level requirements) A state in $States([[PTA_1]]) \cap States([[PTA_2]]) = (s_1, s_2, .., s_n, v)$ is a point of disagreement implies that for at least one $i \in \{1..n\}$, the common state $s_i$ of both $PTA_1^i$ and $PTA_2^i$ is an element of their specific disagreement set.

The purpose of Lemma 3 is to identify precisely those states in the component PTA that may cause a disagreement in the PS for the composed system.

5.3. Proof Technique 

We will use the framework in this section to prove the 
correctness of our reduced models. Although our objective 
is the 802.11 protocol, the concept of deterministic path 
compression has been developed in a generalized manner 
anticipating its application to other protocols. 

To prove that a reduced PTA model ($PTA_2$) corresponding to the original PTA model ($PTA_1$) is correct, we need to prove that $PTA_1 \overset{PTA}{=}_{\phi_1, \phi_2} PTA_2$. Here $\phi_1$ and $\phi_2$ are the corresponding PCTL formulas in the two models. For our purposes $\phi_1 = \phi_2$ since we are interested in proving that we will arrive at the same result for the same particular PCTL formula. We proceed with the proof in the following manner.

1. Identify the difference set (Definition 15). Compute the specific difference set of each component automaton in the difference set using Definition 16. This is easily done by a visual inspection of the automata.

2. Identify composed states where one or more automata are in their specific difference set. At this point we use protocol specific proofs to limit such combinations to a manageable size. From Lemma 2 we know the set of composed states obtained in this step is a superset of the actual difference set across the composed PTA.

3. For each composed state, we argue about the possible evolution of the untimed model obtained through Definition 3. We show that in each case

i) There is the same deterministic dominator in each of $[[PTA_1]]$ and $[[PTA_2]]$. This is the hardest part of the proof. However, we use the fact that the deterministic dominator state in the PS is expressible as the combination of a composed state and clock valuation in the PTA. Hence the proofs are in terms of the PTA rather than the PS. We generally show that each component automaton reaches the state in the composition and progress can only be made when the entire model is in the composed state.

ii) Final states in $[[PTA_1]]$ and $[[PTA_2]]$, corresponding to the PCTL formulas $\phi_1$ and $\phi_2$ respectively, are distributed as specified in condition 2 of Theorem 1.

From Lemma 3 we know that this is sufficient for Theorem 1 to hold. Hence we conclude that at the level of PTAs, $PTA_1 \overset{PTA}{=}_{\phi_1, \phi_2} PTA_2$.

Deterministic Path Compression, at the level of Probabilistic Systems, bears similarity to weak bisimulation [19] that can abstract away internal actions. However, a notable difference in our approach from weak bisimulation is that we are able to change invariants on states in the Probabilistic Timed Automata. This corresponds to removing time steps (Definition 3) in the corresponding semantic probabilistic system. These time steps are not internal actions because composed probabilistic systems must synchronize on time steps to maintain the semantics of PTA composition. A possibility would be to apply weak bisimulation to the final composed model but this would mean fixing the number of stations in the composition. The reduced models would no longer be valid for the general multi station problem.

6. Reducing the 802.11 Station Automaton

For the 802.11 problem, we optimize the station automaton, in multiple steps, starting from the original abstract station model of Figure 4. In each case, the set of final states corresponds to the PCTL formula $\phi = P_{<\lambda}[\Diamond(bc = k)]$. For every reduction from $PTA_1$ to $PTA_2$, we prove the correctness of our optimizations by showing that $PTA_1 \overset{PTA}{=}_{\phi, \phi} PTA_2$. Due to space constraints, we omit the complete proofs (they are available in [1]) and only motivate the key ideas. Our proofs are driven by behavior exhibited by the 802.11 PTA models. For example, a key aspect of many of our proofs is the fact that 802.11 backoff counters are frozen when a busy channel is detected. This sets the 802.11 protocol apart from other contention based protocols such as the 802.3 [8] and is useful because we can essentially ignore stations in backoff when the channel is busy.

6.1. Removing the SIFS Wait

Our first optimization removes the SIFS wait following a successful transmission. The original model is $AbsLAN = AbsStn_1 \,\|\, AbsStn_2 \,\|\, .. \,\|\, AbsStn_n \,\|\, Chan$ and the reduced model is $IntLAN = IntStn_1 \,\|\, IntStn_2 \,\|\, .. \,\|\, IntStn_n \,\|\, Chan$. The intermediate station model $IntStn$ with the SIFS wait removed is shown in Figure 5. The difference set (see Definition 15) includes all the stations and does not include the channel, which is unchanged. The specific difference set is only the Test_channel urgent state immediately after asserting finish_correct. The key idea of the proof is as follows: all the other stations will detect the busy channel and move into the Wait_until_free or Wait_until_free_II state. The successfully completing station will move into the Done state while the rest of the stations will move either into Wait_for_DIFS or Wait_for_DIFS_II states, which gives us a deterministic dominator in both the automata ($AbsLAN$ and $IntLAN$). In the proof, we exploit the fact that in the 802.11 protocol, the backoff counters are frozen when a transmission is detected on the channel. This is modeled by the station in Backoff moving into the Wait_until_free_II state. The key idea of the proof, in an example for three stations, is shown in Figure [?].



6.2. Removing the DIFS Wait 

In the final reduced station model RedStn of Figure [?], the DIFS wait has been removed. The model is given by the composition $RedLAN = RedStn_1 \,\|\, RedStn_2 \,\|\, .. \,\|\, RedStn_n \,\|\, Chan$. Proving the deterministic dominator relationship is a little more complicated here because we need to consider both the collision and the successful transmission cases. In each case, however, all stations detect the busy channel and move to Wait_until_free or Wait_until_free_II. The specific difference set consists of Wait_until_free, Wait_until_free_II and Wait_for_ACK_TO. In the semantic probabilistic system corresponding to the composed model we can always prove that for any point of disagreement and for any adversary, there is always a deterministic dominator, which is the state of the system after the DIFS wait is over. The key idea for a three station example is shown in Figure [?]. 

In RedStn we continue to keep the Wait_for_DIFS state. The reason for this is as follows. It is possible for a station to leave Wait_for_ACK_TO and wait for a DIFS amount of time while all other stations which have not transmitted are sitting in Backoff. Since the amount of time spent in backoff is unpredictable, there is no deterministic dominator. Consequently, we cannot simply remove the DIFS wait after Wait_for_ACK_TO. However, we may always remove the transition into this state due to the DIFS wait on detecting a busy channel after transmission. Again, a key component of the proof is the fact that 802.11 backoff counters are frozen on detecting a busy channel. This allows us to essentially ignore the stations in backoff during transmission. 



6.3. Restricting the allowed transmission length 

The major contributor to state space in the protocol is the large range of allowed transmission lengths. The range is from 315 µs to 15717 µs and this proves to be a significant impediment. 

We make a minor change in our PTA models, with the objective of making the proofs of equivalence more direct. Rather than having a non-deterministic edge that selects packet lengths, which are subsequently held constant, we parameterize the models by a packet length and remove the non-deterministic choice. Hence, we now have a series of PTA models depending on the choice of parameterization. The allowable assignment of packet (transmission) lengths is from $Par^{full}$, the set of all possible parameterizations. Each of $tx\_len_1, .., tx\_len_n$ is assigned a value from the interval $[TX\_MIN, TX\_MAX]$. Formally, $Par^{full} = [TX\_MIN, TX\_MAX]^n$. 

Consider the reduced set of parameterizations $Par^{reduced} \subseteq Par^{full}$ with $tx\_len_1 = TX\_MIN$ and $tx\_len_{i+1} - tx\_len_i < VULN$, $1 \le i < n$. Here we restrict the maximum allowable increase in transmission length of one station over its immediate predecessor. This eliminates many parameterizations that would have assigned transmission lengths close to the maximum, resulting in a large state space. We have shown using the framework of Section 5 that it is sufficient to consider only this limited range of transmission lengths. The key objective is to show that for every model $PTA_1$ whose parameters are selected from $Par^{full}$, there exists a model $PTA_2$ whose parameters are contained in $Par^{reduced}$ such that $PTA_1 =^{PTA} PTA_2$. The specific difference set is only the Transmit state, whose invariant is different in the two models (due to differing transmission lengths). Again, we use the fact that 802.11 backoff counters are frozen during transmission. This means that changing the transmission length has no effect on stations that were in backoff when the channel became busy. The hardest part is to select a proper model from $Par^{reduced}$ such that any m stations in a generalized n-station scenario that collide by transmitting simultaneously complete transmission in the same order in both the models. This is necessary because an inspection of the station automaton shows that during a collision, any station that finishes while some other station is still occupying the channel would detect the busy channel and behave differently from the station that finished last. Hence, ensuring that stations finish in the same order leads to the same deterministic dominator in both the models. 

7. Soft Deadline Verification 

The probability of meeting soft deadlines, which is the minimum probability of a station delivering a packet within a certain deadline, is a real time property that can be formulated as a probabilistic reachability problem. For example, in an 802.11 topology of three senders and three receivers, we are interested in the probability that every station successfully transmits its packet within a given deadline. The reductions presented in this paper, which depend on deterministic path compression, do not preserve total time elapsed, since certain states in the probabilistic timed automata where the composite model can count have been removed. As a result, paths are replaced with shorter (time-wise) versions. 

However, one key aspect of our reductions is that they affect deterministic and well-defined segments of the automata. The intuition is that it should be possible to "compensate" for the reductions by using additional available information. For example, removing the acknowledgment protocol has the effect of subtracting a SIFS + ACK period for every successful transmission made. On the other hand, removing the DIFS wait results in subtracting DIFS from the elapsed time for any transmission made. 

We begin with the traditional "decoration" of a PTA in order to verify real time properties, as exemplified in [16]. Assume the existence of a composed state Done, which is the composition of the state Done across the components of the model. Decorating the PTA involves adding a global clock (say $y$) to the system that counts total time elapsed and a state Deadline_exceeded. Edges are added from each state other than Done, with guard $y > deadline$, to Deadline_exceeded. Every invariant except at Done and Deadline_exceeded is taken in conjunction with $y \le deadline$. The objective is to model check for the PCTL formula $P_{\ge \lambda}[\Diamond Done]$, which expresses the soft deadline property. 

We depart from the traditional model by decorating the PTA as follows. We define a non-decreasing linear function $\phi(y, X)$ on the global clock and the numerical system variables $X$ (which do not include the clock valuation). The global clock $y$ and the state Deadline_exceeded are added. Edges are added to Deadline_exceeded with guard $\phi(y, X) > deadline$. Each invariant is taken in conjunction with $\phi(y, X) \le deadline$. Since the dependence on $X$ may be represented as different functions depending on the current state, we do not depart from the traditional definition of a PTA. The idea is that while $y$ represents absolute system time, $\phi(y, X)$ represents a corrected version that takes into account deterministic path compression. 

In order to compute real time properties, we annotate the channel with the extra variables transmissions and successes, each initialized to zero in the start state. The former is incremented on every synchronization on finish_correct or finish_garbled, while the latter is incremented only on a synchronization on finish_correct. Their semantics, hence, follow their nomenclature. In the RedLAN model, without parameter restrictions, set $\phi(y, X) = y + successes * (SIFS + ACK) + transmissions * DIFS$. This function compensates for ack protocol removal by adding SIFS + ACK for each successful transmission and for DIFS removal by adding DIFS for every transmission. For the AbsLAN model, we set $\phi(y, X) = y$, reflecting the standard construction. Due to space constraints we omit the proof of correctness of our construction here. We essentially need to repeat the proofs referred to in Section 6, taking into account the fact that a clock value assigned to $y$ in the original model will be mapped to $\phi(y, X)$ in the changed model, and we are now model checking for $P_{\ge \lambda}[\Diamond Done]$. 
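As an added worked example (not code from the paper), the following Python replays one constructed channel trace through a full-time, AbsLAN-style accounting and a compressed, RedLAN-style one, and checks that the compensation function $\phi(y, X)$ above recovers the uncompressed elapsed time and decides the soft deadline. The SIFS, DIFS and ACK values and the trace are constructed placeholders, not the paper's constants.

```python
# Added example (not from the paper): replay one constructed channel trace
# through a full-time (AbsLAN-style) accounting and a compressed (RedLAN-style)
# one, then check that phi(y, X) = y + successes*(SIFS+ACK) + transmissions*DIFS
# recovers the uncompressed elapsed time and decides the soft deadline.
from dataclasses import dataclass

# Timing constants in microseconds. Constructed placeholders: the paper's
# actual 802.11 constants are not given on this page.
SIFS = 28
DIFS = 128
ACK = 205


@dataclass
class Channel:
    """Channel decoration of Section 7: counters bumped on finish_* events."""
    transmissions: int = 0
    successes: int = 0


def phi(y, chan):
    """Corrected time phi(y, X) for the RedLAN model."""
    return y + chan.successes * (SIFS + ACK) + chan.transmissions * DIFS


def run_trace(events, compressed):
    """Accumulate elapsed time y over (kind, length_us) events; kind is "backoff"
    (idle slots), "finish_correct" or "finish_garbled" (a transmission ending).
    compressed=True drops the SIFS+ACK and DIFS segments removed in Section 6."""
    chan = Channel()
    y = 0
    for kind, length in events:
        y += length  # idle backoff time, or the Transmit state itself
        if kind == "backoff":
            continue
        chan.transmissions += 1  # channel counters are kept in both models
        if kind == "finish_correct":
            chan.successes += 1
            if not compressed:
                y += SIFS + ACK  # ack protocol, removed in RedLAN
        if not compressed:
            y += DIFS  # DIFS wait after every transmission, removed in RedLAN
    return y, chan


def check_deadline(events, deadline):
    """Return (full_time, corrected_time, meets): meets is True when the decorated
    RedLAN model reaches Done with phi(y, X) <= deadline, not Deadline_exceeded."""
    y_full, _ = run_trace(events, compressed=False)
    y_red, chan = run_trace(events, compressed=True)
    corrected = phi(y_red, chan)
    return y_full, corrected, corrected <= deadline


# Constructed trace: a collision, backoff, then two successful transmissions.
TRACE = [("finish_garbled", 500), ("backoff", 150), ("finish_correct", 500),
         ("backoff", 50), ("finish_correct", 700)]
```

`check_deadline(TRACE, 3000)` returns `(2750, 2750, True)`: the compressed path is 1900 µs long, and the two successes and three transmissions add back exactly the 850 µs the reductions removed.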

We intend to extend our technique for retaining soft deadline properties to cover parameter restrictions in future work. 

Model       States      Transitions   Choices 
Original    5958233     16563234      11437956 
Optimized   393958      958378        598412 

Table 1: State space size for two stations - Our optimized model vs. Kwiatkowska et al. [15] (original) 

Stations   States           Transitions      Choices 
3          1084111823       3190610466       1908688031 
4          1377418222475    5162674182210    2958322202754 

Table 2: State space size for three and four stations - Optimized models 

8. Verification Results 

Our verification platform is a 1.2 GHz Pentium III server with 1.5 GB of ECC memory running Linux 2.4. Our experiments used the Multi-Terminal Binary Decision Diagram (MTBDD) engine of PRISM and all properties were checked with an accuracy of $10^{-6}$. 



Backoff Counter   Iterations   Time (sec)   Maximum Probability 
1                 285          1428         1.0 
2                 107          124          0.59643554 
3                 259          1250         0.10435103 
4                 506          14183        0.008170952 
5                 525          37659        2.83169319e-4 
6                 947          246874       2.85355921e-5 

Table 4: Probability of the backoff counter reaching a specified value in the three station case 

Protocol   Iterations   Time (sec)   Minimum Probability 
G.729(1)   85           613          - 
G.729(2)   256          52388        0.011743453 

Table 5: Minimum probability of meeting the soft deadline for the real time case study 

8.1. State Space Growth 

The largest constant in the model, even after the optimizations, is 354. This is still prohibitively large. Hence, before translating into actual PRISM models, we perform a time scaling operation [15]. For time scaling, we used the backoff contention slot length of 50 µs and divided all guards and invariants by the chosen unit, rounding upper bounds on the values of clocks up and lower bounds on the values of clocks down. This is the only transformation where we loosen the maximal and minimal probabilities to bounds rather than exact values. We also removed the states corresponding to acknowledgments from the channel, since we no longer model them. 



Backoff Counter   Time original (secs)   Time optimized (secs)   Maximum probability 
1                 0.69                   0.09                    1.0 
2                 8.95                   1.15                    0.18359375 
3                 37.37                  6.29                    0.01703262 
4                 113.25                 29.12                   7.9424586e-4 
5                 327.04                 120.5                   1.8566660e-5 
6                 970.38                 508.26                  2.1729427e-7 

Table 3: Probability of the backoff counter reaching a specified value in the two station case - our model vs. Kwiatkowska et al. [15] (original) 



The growth in state space for the multi station problem is shown in Tables 1 and 2. We report the number of states and transitions in the model. We also report the number of choices, which is the total number of nondeterministic choices summed across all the states of the model. In Table 1 we compare our optimized generalized model for the base case of two stations with the models of [15]. We show a significant improvement in model size. However, when we consider models of three and four stations in Table 2, the unoptimized models obtained by extending those of [15] cannot even be built by the model checker within the resources provided. Hence, we only report the state space for our own optimized models. 

8.2. Backoff Counter 

We solve the probabilistic model checking problem of computing the upper bound on the probability of the backoff counter on any station reaching a specified value. 

As a starting point, we show that our generalized models are capable of reproducing the results of the specialized two station models of [15]. In Table 1 we show the state space cost and in Table 3 the verification costs. Our results are the same as in [15] but the verification costs are lower. 

The same results in the case of a three station network are shown in Table 4. The probabilities are higher than in the two station case. This is to be expected since three stations represent more contention for the channel than two. As mentioned above, the 3 station problem using the original unoptimized station models is beyond the reach of PRISM on our platform. 

8.3. Voice over 802.11: A Real Time Case Study 

An example of soft deadlines for probabilistic verification is given by the following scenario: an area serviced by a single 100 Mbps 802.3 Local Area Network is occupied by three overlapping but independent wireless networks, each consisting of an access point and n mobile devices. All of these are equipped with 802.11 capabilities and the access point is distributing voice data to each of the other n stations in its network. We consider the specific case where n = 7 and we use one of two variants of the G.729 [10] voice encoding schemes. In the case of the G.729(1) variant the frame size is 64 bytes and the bandwidth requirement is 33.6 Kbps, resulting in a soft deadline of 2196 µs (rounding down to get a stricter integral deadline). On the other hand, in G.729(2), with a frame size of 74 bytes and a bandwidth requirement of 19.2 Kbps, we have a soft deadline of 4404 µs. For soft deadline verification, we start with a model parameterized by the frame size. Subsequently, we use the construction of Section 7 on RedLAN for verification. 

The results for the real time voice delivery problem, which translates into soft deadlines for a three station topology, are reported in Table 5. They indicate that in the worst case G.729(1) cannot meet the soft deadline requirements while G.729(2) has only a 1% probability of doing so. 

9. Conclusion 

In this paper, we have introduced deterministic path 
compression, a new technique to remove protocol redun- 
dancies. We have been successful in tackling the state space 
problem for the 802.11 wireless LAN protocol. We have 
also shown that it is possible to compute the minimum prob- 
ability of meeting soft deadlines in spite of the optimiza- 
tions. This is surprising because our optimizations, at first 
sight, do not seem amenable to soft deadline verification. 

We are yet to reach a solution that can make verifying models with four or more stations feasible. One option is to use the optimized models as input to a tool like RAPTURE, which can identify dominators at the Probabilistic System level, in a manner similar to our approach at the Probabilistic Timed Automata level. Our work is still essential because it brings the model within reach of a tool like RAPTURE. It remains to be seen whether significant improvements at the Probabilistic System level are possible. There are also a number of extensions to the basic access protocol that we have considered. Modeling these would justify application of probabilistic verification, which is extremely expensive compared to simulation, to real world problems. 
Figure 3: Removing the ack protocol - An example with 3 stations 

Figure 4: PTA model for an Abstract Station - represents both the sender and destination 

Figure 6: PTA model for the Channel - Generalized for the multiple station case 